This topic provides instructions to define rule criteria by writing an EPL query. EPL is a declarative language for handling high-frequency time-based event data. It is used to express filtering, aggregation, and joins over possibly sliding windows of multiple event streams. EPL also includes pattern semantics to express complex temporal causality among events.
Write an advanced EPL rule when the rule criteria are more complex than what you can specify in Rule Builder.
It is outside the scope of this guide to explain EPL syntax.
- For EPL Documentation, see http://www.espertech.com/esper/documentation.php.
- For the EPL Online Tool, see http://esper-epl-tryout.appspot.com/epltryout/mainform.htm
The following are prerequisites for adding an advanced rule:
- You must know Event Processing Language (EPL).
- You must understand ESA annotations, which mark the EPL statements that generate alerts.
To add an Advanced EPL rule:
- In the Security Analytics menu, select Alerts > Configure.
- Type a unique, descriptive name in the Rule Name field. This name appears in the Rule Library, so make it specific enough to distinguish the rule from others.
- In the Description field, explain which events the rule detects. The beginning of this description appears in the Rule Library.
- Select Trial Rule to have ESA automatically disable the rule if all trial rules collectively exceed the memory threshold. Use trial rule mode as a safeguard to check that a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Work with Trial Rules.
- For Severity, classify the rule as Low, Medium, High or Critical.
- To define the rule criteria, write a Query in EPL.
  Note: For all meta key names, use an underscore, not a period. For example, ec_outcome is correct; the same key written with a period is not.
- If a rule should generate an alert, include the ESA alert annotation in the query. ESA provides two annotations. For details, see ESA Annotations.
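The following rule is an added example, not code from the original page or from the ESA product documentation. It shows the two things an advanced rule needs: underscore-style meta keys in the event filter and an annotation that marks the statement as alert-generating. It detects a brute-force pattern: for one user, five failed logons followed by a successful logon within ten minutes. The annotation name `@RSAAlert`, the event type `Event`, and the meta keys `user_dst`, `ip_src`, `ec_activity` and `ec_outcome` are assumptions here; confirm the annotation against ESA Annotations and the key names against the meta your decoders actually produce.

```epl
/* Added example, not from the original page.
   Assumptions: ESA exposes NetWitness meta on the Event stream as
   underscore-separated keys, and @RSAAlert marks the statement that
   raises alerts. */
@RSAAlert
SELECT a.user_dst AS user_dst,
       a.ip_src   AS first_failure_ip,
       c.ip_src   AS success_ip
FROM PATTERN [
    /* Start one match per distinct user and ignore that user's further
       failures for 10 minutes, so one burst does not spawn many matches. */
    EVERY-DISTINCT(a.user_dst, 10 min)
        a = Event(ec_activity = 'Logon' AND ec_outcome = 'Failure')
    -> (
        /* Four more failures for the same user ... */
        [4] b = Event(ec_activity = 'Logon' AND ec_outcome = 'Failure'
                      AND user_dst = a.user_dst)
        /* ... followed by a successful logon for the same user ... */
        -> c = Event(ec_activity = 'Logon' AND ec_outcome = 'Success'
                     AND user_dst = a.user_dst)
       ) WHERE timer:within(10 min)  /* ... all within 10 minutes of the first failure */
];
```

Two points worth checking before deploying a rule like this. The `timer:within` guard is applied to the parenthesised sub-pattern so that it binds to the whole failure-then-success sequence rather than only to the last leg; without the parentheses, followed-by has lower precedence than the guard and the time limit would cover only the success event. Second, `EVERY-DISTINCT` holds state for every distinct `user_dst` seen in the last ten minutes, so memory grows with the number of users logging on; run it as a trial rule first so that ESA disables it rather than exhausting memory if that count is larger than expected.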